"13 Nagios Vulnerabilities, #7 will SHOCK you!" by Samir Ghanem | PT SWARM
Gaining access to a single Nagios XI server leads to upstream compromise of the Nagios Fusion management server and, from there, of every other Nagios XI server it monitors, i.e. every other customer. Exploitation is facilitated with the SoyGun tool.
Contents:
• TL;DR
• Why Nagios?
• What is Nagios?
• The Code
• Challenge Accepted
• What are we trying to achieve?
• Step 1: RCE on Nagios XI server from low privilege Nagios XI user (CVE-2020-28648)
• Step 2: Elevate privileges to ‘root’ on Nagios XI server (CVE-2020-28910)
• Step 3: Trigger XSS by tainting data returned to Nagios Fusion from XI (CVE-2020-28903)
• Step 4: Authenticated remote code execution on Nagios Fusion (CVE-2020-28905)
• Step 5: Elevate privileges from apache to root using ‘cmd_subsys.php’ (CVE-2020-28902)
• Step 6: Get list of “fused” XI servers and exploit them using Steps 1 and 2
• PoC or Attack Platform
• SoyGun
• Command & Control (C2)
• SoyGun Implant
• DeadDrop
• Demo
• Disclosure and Afterthoughts
• Full Vulnerabilities List
Positive Technologies Offensive Team: twitter.com/ptswarm. This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting...